Posts in category Marc van Eijk

In the last two years we have performed numerous deployments of Windows Azure Pack, enabling the Cloud OS for service providers and enterprises. We have gained serious experience with these engagements. Besides technical knowledge, we have also learned that the success of cloud services starts with the people in the organization itself. Many organizations still have different departments for the underlying fabric components. These departments work in silos, each having their own targets and priorities. ITSM tooling is in place for digital processes between the silos. In theory this sounds like a solid construction, but in reality it slows these departments down, forcing the internal customer to look for alternative cloud services, which results in shadow IT.

The key to a successful project is the collaboration of all the involved departments. Depending on the size of the organization you can form a team consisting of all the departments or a key user from each department. It is crucial that they start to understand the value of abstraction, self-service and automation. Normally they already have parts of that implemented within their own department, but now it spans all departments.

Don’t get me wrong. This is not easy. It is actually the hardest part of a successful cloud transformation.

I have heard a lot of folks say that Windows Azure Pack and all the components its cloud services depend on are hard to implement. I felt like that when I started with Windows Azure Services for Windows Server (the predecessor of Windows Azure Pack) in 2012. But in the end it is just like learning to speak and write another language. Once you master it, it is repeatable. You can dictate the software. How different this is with people. Every person has his or her own language, which you must master to some degree. But you can never dictate to them.

I was asked this week: “What is the reason that you are so successful in the Netherlands with Cloud OS deployments?”

It is a small country, three and a half hours is about the longest drive you can do, without driving in circles of course or hitting traffic (the downside of a lot of people on a tiny piece of earth).

Windows Azure Pack was released in October 2013. It enables you to provide cloud services from your own datacenter. Although Microsoft is working towards more consistency between Microsoft Azure and Windows Azure Pack, there are still many differences between the two. I can remember someone at TechEd North America explaining to me that Microsoft Azure and Windows Azure Pack are like two circles that currently have some overlap. Microsoft is working hard to get more overlap between these two circles, eventually ending up with one circle. You have probably seen that end state many times. It is the Cloud OS vision, with ONE consistent platform in the middle.

But we are not there yet. There is still a lot of work to be done.

So when will Windows Azure Pack vNext be released?

Microsoft recently announced that Windows Server and System Center will get their final release in 2016. Based on that information I get a lot of questions on the future release of Windows Azure Pack.

Let me ask you this. Are you always waiting for that new phone to be available? And by the time that phone is available, another new phone with new features is announced. You decide to wait some more. In the end, you never make a decision.

The only thing constant in IT is change. We get access to new features that enable new scenarios. New scenarios create new challenges, which results in other features being developed to solve those challenges and opening new scenarios again. There is always some new feature or version on the horizon. You can wait forever and do nothing, or evolve with the features and scenarios as they become available.

Do not wait. It is super important to get started today, if you haven’t already. Windows Azure Pack provides IaaS, Websites, Database as a Service, Service Bus and Automation, and there is a rich ecosystem of 3rd party solutions that enhance the stack even more. You can benefit from cloud services in your own datacenter TODAY!

We use Windows Azure Pack already. How long do we have to wait for new features?

Now, this is interesting. Microsoft releases an update rollup to all the System Center products and Windows Azure Pack every quarter. Initially these were mainly fixes to issues in the platform. But looking at the number of features that are added in the more recent update rollups that is changing drastically.

These aren’t minor changes either. They greatly improve what is already a rich platform today. But it also ensures that you get access to new features in the current version every three months FOR FREE!! How cool is that. And YOU get to decide what features will be part of the upcoming update rollups by submitting suggestions or voting for existing suggestions on UserVoice.

Besides his mobile datacenter, Carsten Rachfahl also brings his recording equipment to every event. He asked me for an interview a couple of times but we never got round to it. At the Technical Summit in Berlin I met with Carsten and we finally got some time to talk. Check out the recording here.

Did you ever have a look at all the work Carsten is doing? It’s just unbelievable. As a Hyper-V MVP he makes podcasts, interviews, blog posts, presents at events and also finds some time to work. We did a podcast on Windows Azure Pack about a year ago.

Carsten’s blog is in German, but still very interesting to check out. Have a look here.

Windows Azure Pack was released in October 2013 and allows you to provide cloud services that are running in your own datacenter. Since its release we have deployed a lot of Cloud OS environments. Most if not all deployments contained or were centered around Infrastructure as a Service.

To enable infrastructure as a service in your datacenter you need a couple of components.

As a tenant in the Windows Azure Pack portal you can interact with virtual machines and virtual networks.

For deploying virtual machines you can choose between two methods.

Stand alone virtual machine

VM Role

Stand alone virtual machine

The stand alone virtual machine is a one to one mapping to a VM Template in Virtual Machine Manager. The properties of the stand alone virtual machine live in VMM and can only be changed there. The stand alone virtual machine can be used to deploy a virtual machine with an operating system. The deployment wizard in Windows Azure Pack is easy and straightforward but cannot be customized. You are bound by the options in the existing wizard and the capabilities of the VM Template in Virtual Machine Manager.

VM Role

The other method Windows Azure Pack provides to deploy virtual machines is the VM Role. The VM Role uses the service template engine in Virtual Machine Manager and combines that with a customizable deployment wizard in Windows Azure Pack. On top of the stand alone virtual machine method, the VM Role provides the following capabilities:

Application deployment in the virtual machine as an integral part of the deployment process

Customizable deployment wizard

Better interaction capabilities with Service Management Automation

Deploy and manage a single tier of one or multiple instances.

Servicing of the application through tenant configuration

Versioning of the VM Role with application updating capabilities

Stand alone virtual machine or the VM Role? Now this looks like an easy choice. And every customer’s reaction to this comparison is similar. The VM Role it is.

But…. There is one important thing to point out. The VM Role uses differencing disks.

Differencing disks

A differencing disk is a virtual hard disk you use to isolate changes to a virtual hard disk or the guest operating system by storing them in a separate file. A differencing disk is associated with another virtual hard disk that you select when you create the differencing disk. This means that the disk to which you want to associate the differencing disk must exist first. This virtual hard disk is called the “parent” disk and the differencing disk is the “child” disk. The parent disk can be any type of virtual hard disk (fixed or dynamically expanding). The differencing disk stores all changes that would otherwise be made to the parent disk if the differencing disk was not being used. The differencing disk provides an ongoing way to save changes without altering the parent disk. Multiple child disks can use the same parent disk.

The VM Role uses differencing disks for its virtual hard disks. A VM Role consists of one Operating System disk and optionally one or more data disks. In the VM Role configuration you define information (metadata) about each disk of that VM Role. The metadata is a family name and a version number. Additional filtering for the Operating System disk can be set with tags.

For a couple of months now I’ve been getting my hands dirty with Azure Resource Manager. PowerShell is one of the possible ways to interact with this awesome new feature that Microsoft has introduced to the Azure platform. As you probably know, the Azure PowerShell module allows you to connect to and interact with your resources in Azure. You can connect to your Azure subscription from PowerShell with certificate based authentication or with Microsoft Azure Active Directory authentication.

For most situations I use Microsoft Azure Active Directory authentication. The procedure for logging on to your subscription is easy. Install the latest PowerShell module and run the Add-AzureAccount cmdlet. You will be prompted with an interactive login page.

The sharp observer will notice that someone at Microsoft needs to put a penny in a jar every time the Add-Azure cmdlet is used.

You can use your Microsoft account or Organizational account to login without the need of any management certificate or publish settings file. A description of both account types can be found here.

Organizational account is an account created by an organization’s administrator to enable a member of the organization access to all Microsoft cloud services such as Microsoft Azure, Windows Intune or Office 365. An Organizational account can take the form of a user’s organizational email address, such as username@orgname.com, when an organization federates or synchronizes its Active Directory accounts with Azure Active Directory.

Microsoft account, created by a user for personal use, is the new name for what used to be called “Windows Live ID”. The Microsoft account is the combination of an email address and a password that a user uses to sign in to all consumer-oriented Microsoft products and cloud services such as Outlook (Hotmail), Messenger, OneDrive, MSN, Windows Phone or Xbox LIVE. If a user uses an email address and password to sign in to these or other services, then the user already has a Microsoft account. But the user can also sign up for a new one at any time.

I have two different accounts. One account is an Organizational account and the other is a Microsoft account.
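The logon procedure described above, as an added example that is not part of the original post: sign in with Add-AzureAccount, check which account and subscription the session is actually using before touching any resources, pin the session to one subscription, and clear the cached token afterwards. It assumes the Azure PowerShell module of the 0.8.x era (the one that ships Add-AzureAccount and Switch-AzureMode); the subscription name is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the Azure PowerShell
# module (0.8.x, Add-AzureAccount / Switch-AzureMode era) is installed.

# Interactive sign-in with a Microsoft account or an Organizational account.
Add-AzureAccount

# Non-interactive variant for an Organizational account (Microsoft accounts do
# not work with -Credential). Prompt for the password instead of embedding it.
# $cred = Get-Credential -UserName 'user@orgname.com' -Message 'Azure AD logon'
# Add-AzureAccount -Credential $cred

# Which accounts are cached in this session, and which subscriptions do they carry?
Get-AzureAccount | Format-Table Id, Type, Subscriptions -AutoSize
Get-AzureSubscription | Format-Table SubscriptionName, SubscriptionId, IsCurrent, IsDefault -AutoSize

# Pin the session to one subscription so cmdlets cannot act on the wrong one.
$subscriptionName = 'Placeholder-Subscription'   # assumption: replace with your own
Select-AzureSubscription -SubscriptionName $subscriptionName -Current

# Switch to the Azure Resource Manager cmdlet set (needed in the 0.8.x module).
Switch-AzureMode -Name AzureResourceManager

# ... work with resource groups here ...

# When finished, drop the cached account so its token cannot be reused from
# this profile by someone else on the machine.
Get-AzureAccount | ForEach-Object { Remove-AzureAccount -Name $_.Id -Force }
```

Checking IsCurrent before running anything is worth the extra line when two accounts (an Organizational account and a Microsoft account, as above) are cached in the same profile: the cmdlets silently use whichever subscription is current.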

The community is equivalent to sharing knowledge and helping each other. One of those super motivated community members is Carsten Rachfahl. I finally met him at the MVP summit. Somewhere during that week we had to walk from one building to another. I noticed he was dragging along a mobile office. Carsten explained that it contained his complete datacenter. Or to be more precise, a laptop with some crazy specs that contained the complete Cloud OS. He did a lot of work creating a completely automated installation of all the Cloud OS components with HA, and performing the functional configuration to end up with an environment that was demo or (if it wasn’t for the hardware) even production ready. No single click needed after the deployment process. There was one piece missing in his complete puzzle.

He had asked me a couple of times if I had a solution to complete his masterwork. But that is another thing about the community. Time. Somehow you never have enough of it. This week another reminder popped up in a DL and I forced it to the top of my priority list. His question was:

I want to automate the configuration of a highly available RD Gateway for Windows Azure Pack Remote Console. How can I set the RD Gateway server farm members with PowerShell?

Carsten is a smart man. He has been struggling with this issue for a couple of months and it was going to complete his masterwork. He had looked at all the possible angles already.

The Cloud OS was implemented in our lab environment directly after the release of the 2012 R2 bits. That was a little over a year ago. The Windows Azure Pack installer creates multiple self-signed certificates that are used for different websites. In a simple Windows Azure Pack express installation you will get fourteen self-signed certificates. Looking at these certificates you will notice two different types. Most certificates are web server certificates assigned to a Windows Azure Pack website in IIS. There are also two signing certificates. The signing certificates are used by the Windows Azure Pack authentication sites.

I’d like to point out that one of the post deployment tasks for every environment should be to replace the default self-signed certificates with trusted certificates. This is possible for all default certificates but not for the two signing certificates used for the authentication sites.

All self-signed certificates created by the Windows Azure Pack installer have an expiration date of one year after the deployment. If you are still using self-signed certificates and they have expired after a year, you can just delete the expired certificates from the personal computer store with a certificates snap-in in an MMC and rerun the Windows Azure Pack configuration wizard after that. My fellow MVP Stanislav Zhelyazkov has already blogged about this previously here.

Unfortunately, the self-signed authentication signing certificate is recreated with the information stored in the Windows Azure Pack database, including the original expiration date. Recreating the authentication signing certificate by deleting it from the personal computer store and running the Windows Azure Pack configuration wizard again results in the same issue: an expired self-signed authentication signing certificate.

After making some changes in the database I was able to recreate the certificate with a new expiration date. But as you might know, hacking the database is not supported.

Working with some smart folks from the WAP PG, we were able to convert my non supported database hacking and slashing into a supported procedure by using the following PowerShell script.
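Since the one-year expiry of the self-signed certificates is so easy to miss, here is an added check (my own example, not the script from the post or anything shipped with Windows Azure Pack) that inventories the self-signed certificates in the computer’s Personal store on a Windows Azure Pack server and flags the ones that have expired or are about to. It treats a certificate whose Subject equals its Issuer as self-signed, which is how the installer-created certificates present themselves; the 60-day warning window is an assumption.

```powershell
# Added example, not from the original post. Run on each Windows Azure Pack
# server (or any server) to find self-signed certificates that have expired
# or will expire soon. Subject -eq Issuer is the self-signed test.
function Get-SelfSignedCertificateStatus {
    param(
        [int]$DaysWarning = 30,                      # assumption: warn inside this window
        [string]$StorePath = 'Cert:\LocalMachine\My' # the "personal computer store"
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - $now).TotalDays
            $status = if ($_.NotAfter -lt $now)        { 'EXPIRED' }
                      elseif ($daysLeft -le $DaysWarning) { 'EXPIRING' }
                      else                                { 'OK' }
            # Enhanced key usage helps tell the IIS web server certificates apart
            # from certificates without a server-authentication purpose.
            $eku = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
                EKU        = $eku
            }
        } |
        Sort-Object NotAfter
}

# Usage: list everything, expired and soon-to-expire first.
Get-SelfSignedCertificateStatus -DaysWarning 60 | Format-Table -AutoSize

# Usage: only the ones that need action, e.g. for a scheduled task that mails the output.
Get-SelfSignedCertificateStatus -DaysWarning 60 | Where-Object { $_.Status -ne 'OK' }
```

Keep in mind the point of the post: for the two authentication signing certificates, deleting an expired one and rerunning the configuration wizard is not enough, so the report is a reason to run the supported procedure, not a substitute for it.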

Two months ago I published a blog on the Windows Azure Pack Tenant Public API. This API allows you to interact with your cloud services using PowerShell over the internet with certificate authentication. The Microsoft Azure PowerShell module provided cmdlets for Windows Azure Pack as well. As you might remember from that blog, VM Role cmdlets were lacking. There was a workaround that worked but was somewhat complex to configure and maintain.

A new version of the Microsoft Azure PowerShell module has been released. This new version also contains various new cmdlets for Windows Azure Pack.

New-WAPackCloudService

Get-WAPackCloudService

Remove-WAPackCloudService

New-WAPackVMRole

Get-WAPackVMRole

Set-WAPackVMRole

Remove-WAPackVMRole

New-WAPackVNet

Remove-WAPackVNet

New-WAPackVMSubnet

Get-WAPackVMSubnet

Remove-WAPackVMSubnet

New-WAPackStaticIPAddressPool

Get-WAPackStaticIPAddressPool

Remove-WAPackStaticIPAddressPool

Get-WAPackLogicalNetwork

As you can see it also contains new cmdlets for interacting with cloud services and the VM Role.

You can download Microsoft Azure PowerShell module 0.8.6 through the Web Platform Installer with this link.

The VM Role is a custom configuration that can consist of many required and optional fields. As with the GUI wizard, some values must be provided to the PowerShell cmdlet. Creating a new VM Role with the New-WAPackVMRole cmdlet requires some input.

If we take a look at the ResourceDefinition of an existing VM Role there is still some configuration required, but it is a huge improvement compared to the previous procedure.

Installing Windows Azure Pack in a lab environment is relatively easy. You control all the environment variables. Changes to operating systems, required permissions or other settings are within your own hands.

How different this is when you implement Windows Azure Pack in a Service Provider or Enterprise Organization environment. All kinds of security requirements are in place. Each change in the environment is preceded by a request for change procedure. Planning, prerequisites and design documents are essential from the start of the project. If you have not invested in these upfront you will find yourself confronted with a new change each time that, in its turn, results in another RFC with accompanying handling time. Within a couple of days your teeth marks will be visible in the steering wheel of your car.

(Previously) a prerequisite for Windows Azure Pack:

Windows Azure Pack requires a SQL server running in mixed authentication mode and the SQL instance must be running on the default SQL port 1433

But the security policy at the Enterprise Organization or Service Provider dictates:

The SQL Server must be in Windows Authenticated mode only using a named instance and non-default SQL port

Most deployments start with an installation in a development environment that reflects the production environment. In the development environment the SQL configuration that is required for Windows Azure Pack is tolerated but flagged. Once we move to production the RFC can possibly block the implementation.

I contacted the folks from the Windows Azure Pack program group a couple of months ago. They provided the means to configure Windows Azure Pack with a named instance and against a non-default SQL port. It was OK to use this configuration for the development environments, but they needed some additional testing to validate that this configuration would not break in hotfix or upgrade scenarios.

Named instance and non-default SQL port

It is now supported to configure Windows Azure Pack with a named instance and a non-default SQL port. Configure the database connection in the configuration wizard with the following format.

<SQL Server>\<Instance>,<Port number>

In this example

SQL01\hypervu,10001
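Before typing that data source into the configuration wizard it pays to verify it from the Windows Azure Pack server itself, because a firewall rule for the non-default port or a missing SQL login is exactly the kind of thing that turns into another RFC. The function below is an added example of mine (not from the post or from Windows Azure Pack) that takes the `<SQL Server>\<Instance>,<Port number>` string, checks the TCP port, opens a connection with the .NET SqlClient and reports the instance name and whether the server is in Windows-only or mixed authentication mode (the latter being what the SQL Authentication section below requires). `SQL01`, `hypervu` and `10001` are the post’s example values. When a port is given explicitly the client does not need the SQL Browser service, which is why the TCP check goes straight to that port.

```powershell
# Added example, not from the original post. Validates a data source of the
# form <SQL Server>\<Instance>,<Port> as used in the WAP configuration wizard.
function Test-SqlDataSource {
    param(
        [Parameter(Mandatory)][string]$DataSource,   # e.g. 'SQL01\hypervu,10001'
        [switch]$SqlAuthentication,                  # test a SQL login instead of Windows auth
        [pscredential]$Credential                    # required with -SqlAuthentication
    )
    # Split "host\instance" from the port so the TCP path is checked on its own.
    $hostPart, $portPart = $DataSource -split ','
    $server = ($hostPart -split '\\')[0]
    $port   = if ($portPart) { [int]$portPart } else { 1433 }

    $tcp = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ DataSource = $DataSource; TcpReachable = $false; SqlLogin = $false
                                  Detail = "TCP ${server}:$port closed or filtered" }
    }

    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']     = $DataSource
    $builder['Encrypt']         = $true      # demand TLS; see note on self-signed SQL certs
    $builder['Connect Timeout'] = 10
    if ($SqlAuthentication) {
        $builder['User ID']  = $Credential.UserName
        $builder['Password'] = $Credential.GetNetworkCredential().Password
    } else {
        $builder['Integrated Security'] = $true
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IsIntegratedSecurityOnly = 1 means Windows authentication only, 0 means mixed mode.
        $cmd.CommandText = "SELECT @@SERVERNAME, SERVERPROPERTY('InstanceName'), SERVERPROPERTY('IsIntegratedSecurityOnly')"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $mode = if ([int]$reader.GetValue(2) -eq 1) { 'Windows authentication only' } else { 'Mixed mode' }
        [pscustomobject]@{ DataSource = $DataSource; TcpReachable = $true; SqlLogin = $true
                           Detail = "$($reader.GetValue(0)) instance '$($reader.GetValue(1))', $mode" }
    } catch {
        [pscustomobject]@{ DataSource = $DataSource; TcpReachable = $true; SqlLogin = $false
                           Detail = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage with the post's example values and the Windows account running the shell.
Test-SqlDataSource -DataSource 'SQL01\hypervu,10001'

# Usage for one of the SQL logins the WAP installer will create (prompts for the password).
# Test-SqlDataSource -DataSource 'SQL01\hypervu,10001' -SqlAuthentication -Credential (Get-Credential)
```

If the SQL Server still uses a self-signed certificate, the `Encrypt` setting makes the connection fail on certificate validation; that failure is the useful signal here, since a trusted certificate on the SQL Server is part of the same hardening discussion as the port and authentication mode.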

SQL Authentication

Windows Azure Pack does still require a SQL Server in mixed authenticated mode. During the installation SQL accounts are created that are used in the encrypted part of the web.config file of each Windows Azure Pack website. But if this SQL authentication discussion comes up in a project consider this:

A long time ago, Microsoft recommended “When possible, use Windows Authentication” for SQL databases. That recommendation was not based on security issues with SQL authentication. It was a best practice for applications which would work better with pass-through user authentication rather than using a service principal. That statement was interpreted by most organizations as “you should never use SQL authentication”.

Is that statement (still) true or is SQL authentication a secure choice?

The best example of using SQL authentication for databases is Microsoft itself. Microsoft Azure SQL Database (database-as-a-service) supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported.

If Microsoft wasn’t comfortable using SQL authentication, they wouldn’t run a few hundred thousand SQL servers with it. And those are on the internet!!

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.

Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.